At-A-Glance

Cisco Identity Services Engine (ISE)


ALL-IN-ONE ENTERPRISE POLICY CONTROL

Introduction
Today, many enterprises are flooded with personally owned mobile devices, in addition to IT, physical security, and other devices. This means more productivity and a new class of threats. For IT to control device access while providing a secure, seamless worker experience is hard enough, but doing it without increasing costs calls for a completely new technology. It's here today. It's called the Cisco Identity Services Engine, or ISE, and it offers a "One Policy" control point for identity, access control, and device security across wired, wireless, and VPN networks. Through complete, automated features for BYOD and guest access, employees and guests can use the device of their choice, while integration with mobile device management (MDM) solutions ensures device security before allowing access to work resources. IT can assure identity and account for all network-attached devices with the assurance that company resources are protected by the strong access control features that are embedded in the Cisco network.
[Figure labels: Comprehensive Wired, Wireless, VPN Security; Security Compliance (SEC, PCI, HIPAA, FISMA); Rigorous Identity Enforcement; Extensive Policy Enforcement; Better Worker Productivity; Automated Onboarding; Automated Device Security; Dependable Anywhere Access]

Product Overview
ISE offers tight integration of identity services in a single RADIUS-based product from Cisco, the world leader in security, mobility, access control, and networking. It starts with rigorous identity enforcement that includes the industry-first automatic device feed service to keep the device profiler current with the latest smartphones, tablets, mobile computing devices, printers, servers, badge scanners, video surveillance cameras, and even specialized mobile computing devices used in retail, healthcare, and manufacturing. The product identifies a device, the user ID, location, time, and media; creates a contextual identity; applies a policy; and dynamically provisions the network so workers get dependable access to their resources from virtually anywhere. IT professionals can maintain control and manage control policies network-wide from a single dashboard so that compliance for audits and regulatory demands can be validated.

[Figure labels: Lower Operations Costs; TrustSec; Operational; Embedded Enforcement; Next-Generation Policy Networking]

ISE offers an easy onboarding experience for BYOD (bring your own device) and guest workers so that personal devices can be secured, meet security policy, and be granted access via a simple self-service portal. For comprehensive device security, ISE integrates seamlessly with market-leading Mobile Device Management (MDM) platforms to ensure enhanced device security and policy compliance. What's more, ISE can be provisioned to give workers the option to provision MDM on their device for full company access, or refuse MDM and receive only Internet access.

© 2013 Cisco and/or its affiliates. All rights reserved. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

With ISE, IT professionals have the ability to access device details for reporting and troubleshooting. The worker, device, and policy information can be exported on demand to Cisco Prime, a powerful network lifecycle management solution for end-to-end troubleshooting from a single pane of glass. This functionality, along with automated provisioning, means IT professionals spend less time resolving end-user issues. Since device sensing capabilities already exist in most Cisco access switches and wireless controllers, there is often no need for additional overlay appliances or a rip-and-replace infrastructure deployment plan.

In addition, ISE is the policy control point for the next-generation policy networking, Cisco TrustSec, which controls access from the network edge to the resource. This extends the value of the ISE investment while virtually ending the continual demands of VLAN, access control list, and firewall rule administration.

Cisco ISE now includes bootstrap wizards that make it easier to deploy across the enterprise in cookie-cutter fashion. The product is designed to support up to 250,000 simultaneous endpoints, ensuring seamless onboarding, roaming, and network access control throughout a distributed enterprise. With over 2,000 customers using this product today, including a number of Fortune 500 companies and government agencies, Cisco ISE is paving the way for stronger security while improving worker productivity and lowering operations costs.

Components of a Cisco Identity Services Engine (ISE) Deployment


[Figure labels, by layer]
Policy Administration: Cisco Device Feed; MDM Server (Device Security Provisioning); Cisco Prime; Identity Services Engine. Additional labels: Real-time Updates; Network Analysis; All-in-one Enterprise Policy Control.
Network Enforcement: Embedded Device Sensing and Enforcement (Cisco Catalyst & Nexus Switches, Wireless Controllers, ASA, ISR, and ASR Infrastructure).
Device Enforcement: NAC Agent (Device Posture); AnyConnect Agent (Seamless Secure Access); MDM Agent (Device Security).
Devices: BYOD Assets; IT Assets; Corporate Assets; Specialized Assets.

Key Features
The Cisco Identity Services Engine (ISE) is an all-in-one enterprise policy control product that enables comprehensive secure wired, wireless, and VPN access, leading to more productive workers and lower operations costs. When operating in a network, ISE provides the following key features:

Rigorous Identity Enforcement
ISE offers the industry's most extensive device profiler to classify each device; match it to its user or function and other attributes, including time, location, and network; and create a contextual identity so IT professionals can apply granular control over who and what is allowed on the network. The feature profiles devices at the network edge using the sensing features embedded in Cisco devices. The ISE profiler includes the device feed service* to keep it updated with new and more diverse device types so it's easy for IT to identify virtually all devices on the network.

Extensive Policy Enforcement
Based on the user's or device's contextual identity, ISE sends secure access rules to the network point of access so IT is assured of consistent policy enforcement whether the user or device is trying to access the network from a wired, wireless, or VPN connection.

Security Compliance
A single dashboard simplifies policy creation, visibility, and reporting across all company networks so it's easy to validate compliance for audits, regulatory requirements, and mandated federal 802.1X guidelines.

Automated Onboarding
The product's self-service registration portal for BYOD, guest, and IT device onboarding automates AAA user identification, device profiling and posturing, 802.1X provisioning, and remediation, so it's easy for employees to get their devices on-net and comply with security policy.

Automated Device Security
Provides device posture check and remediation options, including the lightweight Cisco NAC Client for desktop/laptop checks and integration* with many market-leading mobile MDM solutions so it's easy for users to keep their devices secure and policy-compliant.

Dependable Anywhere Access
ISE provisions policy on the network access device in real time, so mobile or remote users can get consistent access to their services from wherever they enter the network.

Operational Efficiency
Onboarding and security automation, central policy control, visibility, troubleshooting, and integration with Cisco Prime mean IT and the helpdesk will spend far less time on user and network security fixes.

Embedded Enforcement
Device-sensing capabilities are built into most Cisco switches and wireless controllers to extend profiling network-wide without the costs and management of overlay appliances or infrastructure rip and replace.

Solution Ecosystem
Technology partner platform integration with ISE provides IT organizations a consistent method of making their IT platforms identity, device, and policy aware. Integration with ISE also enables partner platforms to provide context to ISE for inclusion in network access policy, as well as the ability to reach into the Cisco network infrastructure so that executing network actions, like quarantining and limiting access, on users and devices is possible.

Next-generation Policy Networking
ISE is the policy control point for Cisco TrustSec, a next-generation network technology that controls access on the network perimeter and within the network, at the point of access into a company resource. TrustSec and ISE together help turn business policy into network policy and give users seamless anywhere access to resources. Cisco TrustSec makes it easy for customers to migrate to next-generation policy networking, increasing the value of their ISE and Cisco network investment.

Deployment Components
The Identity Services Engine can use most Cisco network devices as device profiling sensors and access enforcement points. It is also capable of extending authentication services on most 802.1X-compliant devices, although profiling may require a specialized architectural design. Additional deployment components include Cisco NAC Agent, Cisco AnyConnect, or the native 802.1X supplicant on the endpoint; Cisco partner MDM solutions*, Cisco Catalyst switches and Cisco wireless LAN controllers acting as policy enforcement points for the LAN; and Cisco Adaptive Security Appliances (ASA) for secure remote access. Cisco Identity Services Engine also integrates with directory services such as Microsoft Active Directory and Sun ONE Directory Server as policy information points.

Packaging and Licensing


The Cisco Identity Services Engine is available as either a physical or virtual appliance. Licensing options allow customers to choose the functionality they need, based on the number of active endpoints on the network. Depending on environment and policies, existing ACS and NAC customers can consider migrating to ISE. ISE is the natural evolution of the endpoint access services currently provided by ACS and the NAC portfolio.

* Estimated Availability in 3rd Quarter of CY2013.

C45-654884-07 05/13